Key takeaways
- Hackers have been caught selling counterfeit smartphones preloaded with stealthy malware designed to steal users’ crypto and sensitive data.
- The Triada Trojan is malware buried deep in a phone’s core software before the device is sold, so attackers can access crypto wallets, read messages, spoof phone calls, and intercept 2FA messages.
- Counterfeit phones enter the supply chain through auction marketplaces and unofficial retailers at an irresistible knockdown price.
- To avoid this type of mobile crypto hack, you should always buy phones from trusted retailers or directly from brands.
Imagine unboxing your brand-new smartphone. You set it up, try out the new camera, and install your favorite apps. You even download your trusted crypto wallet directly from the app store and deposit your crypto for safekeeping. It’s exciting, until one day you open up your crypto wallet to a horrible sight… It’s empty.
How could this happen? You did everything right, double-checked your downloads, and even used two-factor authentication (2FA). But what you didn’t know is that you were compromised the moment you powered on your new phone.
Hackers are now hiding dangerous malware in phones before they reach users, a tactic known as a fake phone crypto scam. This article explains how it all goes down.
What are fake phone crypto scams?
Fake phone crypto scams involve selling counterfeit smartphones that look and feel like a brand-new, genuine phone. On the outside, they look just like any other Android phone, but inside, they come loaded with hidden malware. This sneaky malware is designed to steal a user’s crypto.
The hackers aim to get these phones into the hands of crypto users, traders and investors. Essentially, anyone who might use a crypto wallet or app on their phone is a potential target. The phone’s hardware and software operate the same as a normal device, so you might not realize anything is wrong until it’s too late.
The scale of this scam has been growing in recent years, particularly since researchers discovered a fraudulent campaign in 2025 — by then, over 2,600 victims had been reported, all believing they had purchased legitimate Android phones.
Cybersecurity experts at Kaspersky have found that thousands of fake Android phones are being sold online with malware pre-installed. The malware, known as the Triada Trojan, runs secretly on these phones and performs the following malicious actions:
- Steals credentials from messaging and social media apps while sending or deleting messages on WhatsApp and Telegram to impersonate users.
- Hijacks cryptocurrency by swapping wallet addresses and tracks browsing to redirect links.
- Spoofs phone numbers during calls to reroute conversations and intercepts or manipulates SMS messages.
- Enables premium SMS subscriptions to incur charges and remotely installs additional malicious apps.
- Blocks network connections to evade detection and disrupt security defenses.
Did you know? According to Chainalysis, crypto scams could be set for their biggest year ever in 2025 after reaching $9.9 billion in 2024. The prevalence of generative AI is making scams more affordable and scalable for bad actors.
How does fake phone crypto malware work?
Triada Trojan was first discovered in 2016, when it was used for extracting data from financial apps and messaging platforms, such as WhatsApp and Facebook. Originally, it would infect a device through a phishing campaign or a malicious download.
Now, though, scammers are pre-installing the malware on smartphones before selling them to the general public. The real threat lurks deep in the phone’s operating system. Unlike the typical viruses you might accidentally download, this malware is pre-installed before you even touch the device.
When the Triada Trojan is present on a device, it gives criminals almost unlimited access to the phone. That access lets them replace crypto wallet addresses and drain funds. Criminals can reach right into your crypto wallet, grab your keys or login credentials, and even move your funds without you noticing.
“The authors of the new version of Triada are actively monetizing their efforts; judging by the analysis of transactions, they were able to transfer about $270,000 in various cryptocurrencies to their crypto wallets,” says Dmitry Kalinin, a security expert at Kaspersky.
Adding to this, the Trojan malware gives hackers the ability to hijack personal data like user account information and read messages. This includes 2FA messages.
This level of access exposes a user’s complete set of financial accounts, because attackers can steal passwords and intercept 2FA messages. Even more worryingly, Triada can spoof phone numbers for calls and intercept private conversations.
Because the malware is baked into the phone’s core software, factory resets and antivirus apps usually can’t get rid of it. It is almost impossible to detect or remove. Your digital assets are at risk as long as you use the device.
Did you know? Triada malware is designed to run in the device’s RAM, which helps it avoid detection from traditional antivirus tools and survive factory resets. This makes it incredibly hard to spot and remove from an infected phone.
How hackers distribute counterfeit phones
So, how do criminals manage to install this malware on devices before they reach the final user? Well, there are certain stages of the supply chain that have become compromised. Retailers might not even know they are selling infected phones.
Generally, you’ll find counterfeit phones for sale on less reputable online stores, auction marketplaces and unofficial retailers. The scammers even design devices that replicate well-known brands. This makes it tough to spot a fake. For consumers, the knockdown price of these Android phones is too tempting to ignore.
Although the scam has been most common in Russia, it is spreading globally, with victims in Asia, Europe and North America. The ability for attackers to sell phones easily online means that shoppers on auction sites and less reputable shops could become victims.
If you’re buying a new smartphone, it’s important to take precautionary steps to ensure you don’t get caught out.
Did you know? Fake phone crypto hacks are a type of scam known as “zero-click attacks.” They allow hackers to access your crypto without any action from the user. The code is executed without any user input, which is why these attacks are so threatening and hard to spot.
Protecting yourself from fake phone crypto scams
As crypto becomes more popular, it’s likely that hackers will only become more motivated to dupe unwitting users. A few simple habits can make the difference between keeping hold of your assets and data or losing everything in a matter of seconds.
Here are several simple security tips to protect your crypto from hackers:
- Only buy smartphones directly from official brands or reputable retailers. Avoid purchasing cheap or used devices from auction sites or unknown shops.
- Always install the official operating system updates immediately. Don’t download unknown applications — especially crypto wallets, which should only be downloaded from official app stores and brand websites. Even then, double-check the publisher before installing.
- Be suspicious of unusual device behavior, such as sudden battery drain, strange pop-ups and apps you don’t recognize.
- Don’t click on unsolicited messages and links. If you receive a link from someone you don’t know, avoid it because it could be part of a phishing scam.
- Turn on 2FA for all crypto and financial accounts; this adds a security layer to stop or slow attackers down.
- Keep long-term holdings on an offline hardware wallet. Don’t keep large amounts of crypto on a portable internet-connected device.
Finally, stay vigilant for suspicious wallet activity and avoid rushed fund transfers. Deploy trusted antivirus tools and update your device to thwart malware threats like Triada.